You are here

P T. 2011;36(4): 203-204, 208, 231

Track-and-Trace Drug Verification

FDA Plans New National Standards, Pharmacies Tread With Trepidation
Stephen Barlas

As if the integration of electronic health records (EHRs) into pharmacy operations hasn’t been difficult enough, hospitals will soon face a second Herculean technology task imposed by the federal government—a challenge that most medical facilities and pharmacies don’t even know is coming. A national requirement to “track and trace” prescription drug packages—in order to prevent counterfeit products from getting into pharmacies—is coming down the pike, thanks to California. That state already has its own deadline in place for January 1, 2015; however, the FDA will almost certainly be replacing the requirement with a national standard to keep the drug-supply chain from getting tangled up in 50 different state laws.

The California 2015 deadline for manufacturers to apply an electronic pedigree (e-Pedigree) to each item-level package has been delayed twice before because of anguished cries from manufacturers, wholesalers, and pharmacies that were not ready to comply. The new final deadline is July 1, 2017, for all California pharmacies to authenticate the e-Pedigrees of all packages that arrive at their back door.

“The delays in California gave us a little breathing room,” acknowledges Robert J. Bepko, Jr., RPh, MHA, Director of Professional Services at Norwalk Hospital in Connecticut.

As a result of those delays, the National Council for Prescription Drug Programs (NCPDP), which develops standards for the pharmacy industry, set up its Work Group 17. This group has been tracking the potential impact of a California e-Pedigree requirement on pharmacies. In December 2010, Work Group 17 issued a white paper on the topic. Mr. Bepko, a member of the Work Group, says that even after California’s deadline for implementation was delayed, Work Group 17 was made aware of efforts by New York and Massachusetts to develop their own e-Pedigree laws.

“We are hoping for a national law,” Mr. Bepko asserts.

FDA’s Role and Timetable Are Unclear

It is not clear when the FDA will establish a national requirement that would brush away the California program or whether the agency needs authorization from Congress to do that. At a suburban Maryland FDA workshop that took place on February 14 and 15, 2011, Grant Hodgkins, Manager of Strategy, Standards, and Processes at Alcon’s supply chain, asked that very question of Ilisa Bernstein, Acting Deputy Director of the Office of Compliance at the FDA’s Centers for Drug Evaluation and Research (CDER).

“I will defer answering that,” she replied.

The FDA does have the authority to set national standards (as opposed to requirements) for tracking and tracing item-level drug packages, as permitted by the 2007 FDA Amendments Act (FDAAA). The February workshop had been scheduled to obtain industry input on standards for interoperability, authentication, and data management that the FDA plans to write. Many in the audience equated the writing of standards with the imposition of a national requirement to track pharmaceutical packages (“forward”) and trace them (“backwards” from the pharmacy). There was also confusion about the difference between California’s e-Pedigree requirements and the prospective requirements of a track-and-trace system (to be imposed by the FDA at a future date).

The confusion is understandable. There are three major permutations of an item-level drug-tagging system meant to make it impossible for counterfeiters to divert products. All three steps start with a Standardized Numerical Identifier (SNI), as follows: (1) The SNI is established and printed on item-level packages; (2) the SNI is incorporated into an e-Pedigree, which is passed forward only; and (3) the e-Pedigree becomes part of a track-and-trace system, with each person along the distribution channel adding information and being able to be queried backwards to obtain information or to communicate (e.g., the pharmacy with the wholesaler or manufacturer).

The SNI is printed in a two-dimensional (2D) data matrix bar code—or, alternatively, on a radiofrequency identification (RFID) tag—on the immediate package as it goes down the packaging line.

In March 2010, in response to a requirement in the 2007 FDAAA, the agency issued guidelines on what to include in the SNI: a serialized National Drug Code (NDC), consisting of the manufacturer’s NDC, plus a unique serial number generated by the manufacturer or repackager for each individual package. Serial numbers should be numeric or alphanumeric. The SNI conforms to the structure of the serialized Global Trade Item Number (GTIN), GS1’s standard for trade item identification. GS1 is a nonprofit organization (formerly called EAN International) with headquarters in Belgium.

Overseas Requirements Are Simpler Than California e-Pedigree or Track and Trace

Turkey and France already have requirements for drug packages to be printed with 2D data matrix codes when they leave a manufacturer’s plant. In this first iteration of an anti-counterfeiting (“point-of-dispensing”) system, however, the codes are simply uploaded to a data repository and then sent down the distribution line to the pharmacy, where that SNI is authenticated via a 2D data matrix bar-code reader.

The e-Pedigree system endorsed by California goes a couple of steps further by requiring the creation of an e-Pedigree for each package, which is passed digitally from the manufacturer to a third-party logistics carrier, through a warehouse, and to the pharmacy. First, the package is placed at the end of a packaging line inside a case with similar packages; the case is also given an SNI. The package and case SNIs are matched up, forming a “parent/child” relationship.

The information, in the form of a digital shipping document tied to a specific customer order, is passed along the distribution channel and is added to the package every time it changes ownership. These pedigrees would be formatted based on a GS1 standard called the Drug Pedigree Messaging Standard, which was developed in 2007. However, many consider that standard to be antiquated. GS1 is working, ever so slowly, on an updated standard.

A track-and-trace system is similar, allowing for communications to go backward; however, an e-Pedigree can be forwarded only. In track-and-trace systems, when the product changes hands, the new data that were entered into the pedigree are sent back to the repository, which maintains the product’s travel history. For example, a pharmacy can query a wholesaler or manufacturer or can send an acknowledgment that a shipment was received. All participants in a manufacturer’s supply chain would have some access to that data repository, although access might be controlled by the drug’s manufacturer or by a third party, often a government agency.

In both e-Pedigree and track-and-trace systems, theoretically at least, cases must be opened in a warehouse, and the 2D bar codes on the packages must be read to ensure that the packages inside are the ones sent by the manufacturer. This is a huge problem for manufacturers and distributors, especially in terms of the time it is expected to take and the associated costs. California allows inference, whereby wholesalers and others would not have to pull the cases apart to check SNIs or affirm the parent/child relationship between each package and the case.

Dirk Rodgers of explains that California’s Board of Pharmacy must draw up rules so that companies will know how they can make use of inference. He says:

“It is possible that the Board could create rules that define the concept so narrowly that it will be a far cry from what the industry means when they use the term. We’ll have to see where they take it.”

Costs Rise as Requirements Expand

There are also broader implications for manufacturers stemming from requirements for repositories, inference, and the like. Steve Drucker, Director of Global Pharmaceutical Commercialization in Packaging Technologies and Compliance at Merck, explains:

In a full track-and-trace system, you have to make changes to your manufacturing management systems, warehouse management systems, and order-to-cash systems to track item-level SNIs and maintain the parent/child data instead of simply tracking lot numbers, which is what we do now. It is a huge endeavor, and the complexity is far beyond anything we have tried before, as are the costs.

He says that the estimated costs for full track-and-trace compliance are as high as $100 million.

The challenges and costs for pharmacies mount as one moves up from a point-of-dispensing system (the main requirement is to verify the SNI), to e-Pedigree (pharmacists must decommission the pedigree), to track and trace (pharmacists must communicate with physicians as well as manufacturers).

These possibilities raise all sorts of questions for hospital pharmacists such as Robert Bepko, Jr. He already has a pharmaceutical inventory system that he purchased from McKesson, his wholesaler. In addition, his hospital is in the process of installing an electronic health record (EHR) system from Cerner in order to qualify for Medicare incentive payments for capital costs—and to avoid Medicare penalties for not implementing an EHR system. He says:

If we knew what was going to be expected of us, we would work toward that end. If the Joint Commission, the Drug Enforcement Agency, or the FDA comes in to a pharmacy and asks a pharmacist to show them pedigrees for the month of March, the pharmacist can pull up that list from McKesson. But what if they want to see the pedigrees for patient Mr. Jones? Does that default to the Cerner system? So you can see the difficulty we have here—preparing for what we don’t know.

Each additional responsibility adds pharmacy costs, and a full track-and-trace requirement is likely to be very costly to all pharmacies. Chrissy Kopple, Vice President of Media Relations at the National Association of Chain Drug Stores, says that proposals that would mandate the tracking and tracing of prescription drugs are faced with complexities, technical and feasibility issues, and substantial costs for all drug supply chain stakeholders. She says that these systems have not been developed or fully tested yet and have not been evaluated in pilot programs; they also lack uniform national standards and patient privacy safeguards.

So far, wholesalers such as McKesson haven’t focused on helping their pharmacy customers get ready for e-Pedigrees, much less track and trace. Ron Bone, Senior Vice President of Distribution Support at McKesson, explains:

Once we have established a process to quickly on-board manufacturers, we will then be able to use this as a basis for on-boarding our pharmacy provider community. With the California pedigree deadline for the provider community at July 2017, we have not engaged with this segment as yet.

Pharmacies Are Particularly Vulnerable

Pharmacies, to a large extent, have been at the mercy of the drug manufacturers, which have been driving the drug package identification process through their involvement with GS1, the global standards group. The FDA’s designation of an SNI in March 2010—based on a GS1 standard—illustrates why pharmacies in particular are worried about the FDA’s next steps—establishing standards for interoperability, authentication, and data management.

The FDA’s SNI guidance prescribed an identifier that contains the National Drug Code and a second 20-digit alphanumeric code that a company would choose and that would be unique to a particular drug package. (There is no requirement that the SNI guidance must be followed, but it is, in essence, a de jure standard.) Pharmacy data systems, however, use a field that allows for only 19 characters. That field is set by a standard from the NCPDP, and pharmacies use it to send data to health insurers when a patient comes in to fill a prescription.

“We would have to make changes to our data systems to accommodate the FDA’s SNI,” says John Klimek, RPh, Senior Vice President of Industry Information Technology at the NCPDP.

Part of the concern within the pharmacy community is that the FDA relied too heavily on GS1 in writing the SNI guidance, and the agency might do so again when it writes the new standards. Phillip D. Scott, Senior Vice President of Business and Development at the NCPDP, explains that GS1, which is dominated by large drug manufacturers, has “owned” the e-Pedigree space, but its initiatives essentially stop when the package gets to the pharmacy back door.

“We have felt for some time that we need to make sure that any transaction could translate once it got inside the pharmacy, to the physical transaction of filling the prescription,” he says.

The NCPDP set up Work Group 17 partly as a watch group to provide information to the FDA, which would counter GS1’s Big Pharma slant.

The formation of the NCPDP Work Group, as well as the issuance of its December 2010 white paper, is just one indication of the pharmacy industry’s interest in what the FDA is doing. Companies represented at the FDA workshop on February 14 and 15 included Walgreens, Osborn Drugs, CVS Caremark, Wal-Mart, Rite-Aid, and several pharmacy associations, such as the American Society of Health-System Pharmacists.

Swedish Pharmacy Pilot Program Provides Hints

So far, almost no work has been performed in the U.S. on the potential impact of pharmacy authentication of drug package pedigrees. The only pilot program ever instituted was in Sweden under the auspices of the European Federation of Pharmaceutical Industries and Associations. In this point-of-dispensing pilot program, which took place in September 2009, 25 of Sweden’s Apoteket AB retail pharmacies verified 2D data matrix bar codes on 95,000 drug packages supplied by 14 drug manufacturers. All participating pharmacies were equipped with new scanners that could read these codes to verify the products. Existing point-of-sale software was also amended to include the necessary extra functionality. Product verification and dispensing operations were fully integrated into the ordinary pharmacy workflow.

Although each pharmacy in the pilot program received the new camera-based scanning equipment, the pilot report does not indicate that cost or the cost of software upgrades. The pharmacies were basically able to integrate package verification via the new bar-code readers into the everyday workflow with little difficulty; however, this was possible only because of the high rate of e-prescriptions already coming through the pharmacies, the quality of the Apoteket point-of-sale systems, and the standardization of systems within the Apoteket pharmacy network.

Turkey already imposes a point-of-dispensing requirement on all incoming drug products; thus, American manufacturers packaging products for Turkey are now serializing drug packages for that country. These companies include GE Healthcare, which packages contrast media products used in conjunction with x-ray and magnetic resonance imaging (MRI) devices at its manufacturing facility in Cork, Ireland. Those products go to Turkey, the U.S., and elsewhere. GE Healthcare hired Optel Vision of Canada to serialize that packaging line; as products move down the line, each one is given a different Global Trade Item Number.

When the Cork packaging line becomes fully operational, perhaps by the end of 2011, GE Healthcare will serialize 12 other lines in Norway, Ireland, and Shanghai, says Gordon Glass, Director of Manufacturing Project management. He is now deciding between two vendors for an Electronic Product Code Information System (EPCIS) for data management. EPCIS is a GS1 standard that allows “event” data on the packaging line to be uploaded to a data repository and to be shared with other company data systems as well as systems outside the company.

Turkey uses GS1 standards (mainly the Global Item Trade Number unique numbering scheme), as does France; other European countries that are working on their own requirements will probably also use it. That puts the pressure on the FDA to also pay close attention to standards of interoperability, authentication, and data management that GS1 is developing.

The FDA, however, will have to consider the needs of all players, not just Big Pharma. That probably will force the agency to make some tough choices. For example, according to Bill Fletcher, Managing Partner of Pharma Logic Solutions, the larger pharmaceutical companies favor a distributed database, which each company controls, instead of a central data clearinghouse, which is run by a third party chosen by the FDA.

“Small pharmacies at the end of the supply chain will likely not be able to support costly distributed systems and will likely require faster authentication response times than larger wholesalers,” he said.

How Heavily Will the FDA Lean on GS1?

Mr. Fletcher and others have argued that GS1 functions as a “Big Pharma boys club.” Multinational companies can pay upwards of five figures for membership in GS1, and they, for the most part, “pay the bills,” since GS1 is a nonprofit organization. Jon Mellor, a spokesman for GS1 Healthcare U.S., explains, though, that more than 80% of GS1 members are small to medium businesses spending in the three or four figures. Bill Fletcher is a member, but he has mixed feelings about GS1. He says:

They are open to new ideas, but it would be easier to develop standards for Pharma if we didn’t have to contend with their bureaucracy. The weekly participants in the work groups are from very Big Pharma, wholesalers, and a handful of solution providers. In fact, my joining, because I am an unbiased subject matter expert and consultant, required special approval.

Apart from questions about how representative the organization is, GS1 has had some issues with the standards it has already developed. Right now, even the e-Pedigree messaging standard that GS1 adopted in 2007 is under fire; it was rushed into final form to meet the needs of a Florida law that was going into effect at the time.

Ruby Raley, Director of Health Care Solutions at Axway, explains that the document pedigree-management system standard adopted by GS1 focuses on collecting data on a package’s chain of custody. The system does not provide information about the physical location of the package at a particular moment in time, based on an SNI.

Bob Celeste, Director of GS1 Healthcare US, admits that the current data-messaging standard is ill-suited to an e-Pedigree system. He explains that it was developed in 2006 to meet the requirements of a Florida law that required the passing of master data, which every participant in the distribution chain adds to, resulting in considerable redundancy of information. However, he admits that there is not much going on with that standard.

GS1 is now in the process of developing new standards that could be used by the FDA as the basis for a robust track-and-trace system, in which data would flow forward from the manufacturer; the pharmacy could also query back to the wholesaler and manufacturer. For example, a pharmacy could send a receipt back to a trading partner to acknowledge that the pharmacy received a shipment or even a particular package. To accommodate the needs of pharmacies for this type of reverse data transmission, GS1 is developing a discovery service standard.

Whether or not the FDA leans on GS1 as heavily as it did in coming up with SNI guidance, the agency will be under pressure—in an antiregulatory environment—not to go overboard in terms of the complexity of the standards it writes. At its February workshop, the FDA presented some preliminary thoughts on its forthcoming standards. McKesson’s Ron Bone says:

Authentication, as the FDA defined it at the meeting, is slightly different than how the industry has been looking at it. Now that we have insight into what the FDA is proposing, the industry can discuss the ramifications and effectively address it in our responses to the docket due on April 16.

The FDA is likely to be inundated with various entreaties. Wholesalers such as McKesson and the large, multinational drug manufacturers will dominate the chorus. The question is whether the pharmacy industry’s voice will be drowned out.